SB2026040834 - Multiple vulnerabilities in OpenClaw

Published: April 8, 2026

Security Bulletin ID: SB2026040834
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 67%
Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to reset administrative sessions.

The vulnerability exists due to improper access control in the Gateway agent RPC handler in src/gateway/server-methods/agent.ts when processing /reset or /new messages with an explicit sessionKey. A remote user can send a specially crafted RPC message to reset administrative sessions.

The issue occurs because this path does not enforce the operator.admin guard required by the direct sessions.reset RPC.
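The two reset paths the bulletin contrasts, modelled as an added example that is not OpenClaw's code: the names Scope, Caller, AgentMessage, SessionStore, canResetSession and handleResetCommand* are assumptions. The point is that the chat-command path and the direct sessions.reset RPC must apply one and the same guard, so an explicit sessionKey cannot reach a reset the RPC would refuse.

```typescript
// Added example, not OpenClaw's code. All names below are assumptions that
// model the two reset paths described in the bulletin.
type Scope = "operator.read" | "operator.admin";

interface Caller {
  scopes: ReadonlySet<Scope>;
  sessionKey: string; // the session this caller is chatting in
}

interface AgentMessage {
  text: string;
  sessionKey?: string; // explicit target, as in the /reset and /new path
}

type SessionStore = Map<string, { turns: number }>;

// The single rule both paths must share: a caller may reset its own session,
// and any other session only with operator.admin.
function canResetSession(caller: Caller, target: string): boolean {
  return target === caller.sessionKey || caller.scopes.has("operator.admin");
}

// The direct sessions.reset RPC, which the bulletin says already enforced the guard.
function sessionsResetRpc(store: SessionStore, caller: Caller, target: string): "ok" | "forbidden" {
  if (!canResetSession(caller, target)) return "forbidden";
  store.set(target, { turns: 0 });
  return "ok";
}

function isResetCommand(text: string): boolean {
  const command = text.trim().split(/\s+/)[0];
  return command === "/reset" || command === "/new";
}

// Vulnerable shape: the chat-command path honours an explicit sessionKey
// without ever consulting the guard.
function handleResetCommandVulnerable(
  store: SessionStore, caller: Caller, msg: AgentMessage,
): "ok" | "forbidden" | "ignored" {
  if (!isResetCommand(msg.text)) return "ignored";
  store.set(msg.sessionKey ?? caller.sessionKey, { turns: 0 });
  return "ok";
}

// Fixed shape: the command path delegates to the guarded RPC, so an explicit
// sessionKey gets exactly the operator.admin check the direct RPC applies.
function handleResetCommandFixed(
  store: SessionStore, caller: Caller, msg: AgentMessage,
): "ok" | "forbidden" | "ignored" {
  if (!isResetCommand(msg.text)) return "ignored";
  return sessionsResetRpc(store, caller, msg.sessionKey ?? caller.sessionKey);
}

// Constructed sample state for a stand-alone run.
function newSampleStore(): SessionStore {
  return new Map([
    ["admin:main", { turns: 7 }],
    ["user:bob", { turns: 3 }],
  ]);
}

// Constructed non-admin caller.
const bob: Caller = { scopes: new Set<Scope>(["operator.read"]), sessionKey: "user:bob" };
```

Routing every entry point through one guard function (rather than re-implementing the check per handler) is what makes a later audit tractable: the question "who can reset whose session" has a single answer in the code.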


2) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass replay protection.

The vulnerability exists due to improper access control in webhook-security.ts when verifying Plivo V2 signed requests with query-only URL variants. A remote attacker can send a signed request with modified query string parameters to bypass replay protection.

The issue arises because signature validation canonicalizes the base URL without query parameters, while the replay key is derived from the full verification URL including the query string.
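The mismatch the bulletin describes, as an added example that is not OpenClaw's or Plivo's code: the signature scheme (HMAC-SHA256 over the canonical base URL plus a nonce, base64-encoded) and the names SignedRequest, ReplayGuard, replayKeyFrom* and verifyWebhook are assumptions chosen to reproduce the shape of the problem, not a statement of Plivo's exact V2 algorithm. What it shows is that a replay key derived from the full URL changes whenever the query string changes, while a signature computed over the base URL does not, and that keying the replay cache on the signed material closes the gap.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not OpenClaw's or Plivo's code. The scheme below is a
// simplified assumption: signature = base64(HMAC-SHA256(secret, baseUrl + nonce)).
interface SignedRequest {
  url: string;       // full URL the request arrived on, query string included
  nonce: string;     // per-request nonce carried in a header
  signature: string; // base64 HMAC carried in a header
}

// Signature canonicalization: origin plus path, query dropped.
function canonicalBaseUrl(url: string): string {
  const parsed = new URL(url);
  return `${parsed.origin}${parsed.pathname}`;
}

function sign(secret: string, url: string, nonce: string): string {
  return createHmac("sha256", secret).update(canonicalBaseUrl(url) + nonce).digest("base64");
}

function signatureValid(secret: string, req: SignedRequest): boolean {
  const expected = Buffer.from(sign(secret, req.url, req.nonce));
  const given = Buffer.from(req.signature);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Replay cache parameterized by the key derivation so both variants can be compared.
class ReplayGuard {
  private readonly seen = new Set<string>();
  private readonly keyFor: (req: SignedRequest) => string;
  constructor(keyFor: (req: SignedRequest) => string) {
    this.keyFor = keyFor;
  }
  accept(req: SignedRequest): boolean {
    const key = this.keyFor(req);
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    return true;
  }
}

// Vulnerable derivation: the full verification URL, query included. Any change
// to the query yields a new key although the signature (over the base URL) is unchanged.
const replayKeyFromFullUrl = (req: SignedRequest): string => `${req.url}|${req.nonce}`;

// Fixed derivation: exactly the material the signature covers, so a resent
// signature/nonce pair maps to the same key whatever the query string.
const replayKeyFromSignedMaterial = (req: SignedRequest): string =>
  `${canonicalBaseUrl(req.url)}|${req.nonce}`;

function verifyWebhook(
  secret: string, guard: ReplayGuard, req: SignedRequest,
): "accepted" | "bad-signature" | "replay" {
  if (!signatureValid(secret, req)) return "bad-signature";
  return guard.accept(req) ? "accepted" : "replay";
}
```

The general rule this illustrates: whatever the verifier canonicalizes away before checking the signature is, by construction, unauthenticated, and unauthenticated bytes must not feed the replay key. Keying on the signed material (or on the signature value itself together with the nonce) keeps the two checks consistent.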


3) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass Canvas HTTP and WebSocket authentication.

The vulnerability exists due to improper access control in authorizeCanvasRequest(...) in src/gateway/server/http-auth.ts when handling local-direct loopback Canvas and A2UI requests. A remote attacker can send specially crafted loopback Canvas HTTP or WebSocket requests to bypass Canvas HTTP and WebSocket authentication.

The issue affects local-direct loopback requests, which were treated as an unconditional allow path before bearer authentication or an active node canvas capability was checked.
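The ordering problem in the third item, as an added example that is not OpenClaw's code: CanvasRequest, authorizeCanvasVulnerable, authorizeCanvasFixed and divergingCases are assumptions modelling a decision function with a loopback short-circuit ahead of the credential checks, beside one in which the peer address carries no authority of its own.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example, not OpenClaw's code. The types and functions are assumptions
// that model the authorization ordering described in the bulletin.
interface CanvasRequest {
  remoteAddress: string;         // peer address as seen by the gateway
  bearerToken?: string;          // bearer credential, if one was presented
  nodeCanvasCapability: boolean; // caller is bound to an active node with canvas capability
}

type Decision = "allow" | "deny";

function isLoopback(address: string): boolean {
  return address === "127.0.0.1" || address === "::1" || address === "::ffff:127.0.0.1";
}

function bearerMatches(presented: string | undefined, expected: string): boolean {
  if (presented === undefined) return false;
  const a = Buffer.from(presented);
  const b = Buffer.from(expected);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Vulnerable ordering: a loopback peer address is an unconditional allow,
// evaluated before any credential. Anything that reaches the listener from a
// loopback address is trusted without a bearer token or node capability.
function authorizeCanvasVulnerable(req: CanvasRequest, expectedToken: string): Decision {
  if (isLoopback(req.remoteAddress)) return "allow";
  if (bearerMatches(req.bearerToken, expectedToken)) return "allow";
  if (req.nodeCanvasCapability) return "allow";
  return "deny";
}

// Fixed ordering: credentials are checked first and the peer address is not a
// credential, so loopback gains nothing on its own.
function authorizeCanvasFixed(req: CanvasRequest, expectedToken: string): Decision {
  if (bearerMatches(req.bearerToken, expectedToken)) return "allow";
  if (req.nodeCanvasCapability) return "allow";
  return "deny";
}

// Run constructed cases through both functions and report where they diverge.
function divergingCases(expectedToken: string): string[] {
  const cases: Record<string, CanvasRequest> = {
    "loopback, no credential": { remoteAddress: "127.0.0.1", nodeCanvasCapability: false },
    "loopback, valid bearer": { remoteAddress: "::1", bearerToken: expectedToken, nodeCanvasCapability: false },
    "remote, valid bearer": { remoteAddress: "203.0.113.5", bearerToken: expectedToken, nodeCanvasCapability: false },
    "remote, wrong bearer": { remoteAddress: "203.0.113.5", bearerToken: "wrong", nodeCanvasCapability: false },
    "remote, node capability": { remoteAddress: "203.0.113.5", nodeCanvasCapability: true },
  };
  return Object.entries(cases)
    .filter(([, req]) => authorizeCanvasVulnerable(req, expectedToken) !== authorizeCanvasFixed(req, expectedToken))
    .map(([name]) => name);
}
```

The only case on which the two functions disagree is the unauthenticated loopback request, which is exactly the allow path the bulletin describes; every request that carries a valid credential is allowed by both, so removing the short-circuit costs legitimate local clients nothing.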


Remediation

Install the update from the vendor's website.